Vulnerability CVE-2021-33054: Information

Description

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-33054
Published: June 4, 2021
Modified: March 29, 2022
Error type identifier: CWE-347

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
sogosisyphus5.1.1-alt15.10.0-alt1ALT-PU-2021-1970-1273362Fixed
sogop105.1.1-alt15.9.1-alt1ALT-PU-2021-1970-1273362Fixed
sogoc10f15.1.1-alt15.9.1-alt1ALT-PU-2021-1970-1273362Fixed
sogoc9f25.0.0-alt1.c9f2.15.0.0-alt1.c9f2.1ALT-PU-2022-1952-1300616Fixed
sogop115.1.1-alt15.10.0-alt1ALT-PU-2021-1970-1273362Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md
  • Release Notes
  • Third Party Advisory
https://www.sogo.nu/news.html
  • Product
https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
  • Third Party Advisory
[debian-lts-announce] 20210712 [SECURITY] [DLA 2707-1] sogo security update
  • Mailing List
  • Third Party Advisory
DSA-5029
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:inverse:sogo:*:*:*:*:*:*:*:*
      Start including
      3.0.0
      End excliding
      5.1.1
      cpe:2.3:a:inverse:sogo:*:*:*:*:*:*:*:*
      Start including
      2.0.6
      End excliding
      2.4.1

      Configuration 2

      cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
      cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
      cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top